Latest revision as of 09:43, 30 September 2014

Release Notes, 2013.2.4

The 2013.2.4 release is a Havana bugfix update for OpenStack Compute (Nova), OpenStack Identity (Keystone), OpenStack Image Registry and Delivery Service (Glance), OpenStack Networking (Neutron), OpenStack Block Storage (Cinder), OpenStack Dashboard (Horizon), OpenStack Orchestration (Heat) and OpenStack Telemetry (Ceilometer). No further official Havana releases of these projects are planned.

The bugfixes contained in this release were backported from the development branches into a stable branch. The release is intended to be a low risk update with no intentional regressions or API changes.

Resolved Security Issues

OpenStack Compute (Nova)

OSSA 2014-011 / CVE-2014-0167 - RBAC policy not properly enforced in Nova EC2 API
OSSA 2014-017 / CVE-2014-2573 - Nova VMWare driver leaks rescued images

OpenStack Identity (Keystone)

OSSA 2014-013 / CVE-2014-2828 - Keystone DoS through V3 API authentication chaining
OSSA 2014-018 / CVE-2014-3476 - Keystone privilege escalation through trust chained delegation

OpenStack Image Registry and Delivery Service (Glance)

OSSA 2014-012 / CVE-2014-0162 - Remote code execution in Glance Sheepdog backend

OpenStack Networking (Neutron)

OSSA 2014-008 / CVE-2014-0056 - Routers can be cross plugged by other tenants
OSSA 2014-014 / CVE-2014-0187 - Neutron security groups bypass through invalid CIDR
OSSA 2014-019 / CVE-2014-4167 - Neutron L3-agent DoS through IPv6 subnet

OpenStack Dashboard (Horizon)

OSSA 2014-010 / CVE-2014-0157 - XSS in Horizon orchestration dashboard

OpenStack Orchestration (Heat)

OSSA 2014-016 / CVE-2014-3801 - Heat template URL information leakage

Bugs Fixed

In total, 180 launchpad bugs are fixed by this update.

Known Issues and Limitations

Neutron

There is a known issue in all Havana releases that results in Neutron DHCP agent constantly resyncing its state once a network and a subnet is created with a gateway outside of it. To avoid this, users are encouraged to set force_gateway_on_subnet to True in neutron.conf. https://bugs.launchpad.net/neutron/+bug/1304181

@@ Line 10: / Line 10: @@
 === OpenStack Compute (Nova) ===
-* [http://lists.openstack.org/pipermail/openstack-announce/2014-March/000213.html OSSA 2014-009] / [https://launchpad.net/bugs/1221190 CVE-2014-0134] - Nova host data leak to vm instance in rescue mode.
 * [http://lists.openstack.org/pipermail/openstack-announce/2014-April/000219.html OSSA 2014-011] / [https://launchpad.net/bugs/1290537 CVE-2014-0167] - RBAC policy not properly enforced in Nova EC2 API
 * [http://lists.openstack.org/pipermail/openstack-announce/2014-May/000235.html OSSA 2014-017] / [https://launchpad.net/bugs/1269418 CVE-2014-2573] - Nova VMWare driver leaks rescued images
 === OpenStack Identity (Keystone) ===
-* [http://lists.openstack.org/pipermail/openstack-announce/2014-March/000211.html OSSA 2014-007] / [https://bugs.launchpad.net/bugs/1282865 CVE-2014-0105] - Potential context confusion in Keystone middleware
 * [http://lists.openstack.org/pipermail/openstack-announce/2014-April/000221.html OSSA 2014-013] / [https://launchpad.net/bugs/1300274 CVE-2014-2828] - Keystone DoS through V3 API authentication chaining
-* [http://lists.openstack.org/pipermail/openstack-announce/2014-May/000231.html OSSA 2014-015] / [https://launchpad.net/bugs/1309228 CVE-2014-0204] - Keystone user and group id mismatch
 * [http://lists.openstack.org/pipermail/openstack-announce/2014-June/000240.html OSSA 2014-018] / [https://launchpad.net/bugs/1324592 CVE-2014-3476] - Keystone privilege escalation through trust chained delegation

Difference between revisions of "ReleaseNotes/2013.2.4"